On Security, Cisco "Shocked" in 2008

Cisco today revealed its take on the current state of IT security.
The major trends? Vulnerabilities are on the rise, with blended and virtualization
attacks becoming increasingly the norm.

According to Cisco, as of the end of October 2008, over 5971 IT vulnerabilities had
been tallied, which is a year over year increase of 11.5 percent over the 5353
vulnerabilities for 2007. Cisco also reported a year over year increase of 90 percent in
the volume of attacks that come from legitimate domains.

"Even though we were aware of the severity of the threats on the Web and in particular
the attacks on legitimate Web sites, the ferocity and volume of those attacks in 2008 was
very much of a shock," Patrick Peterson, Cisco Fellow and chief security researcher, told
InternetNews.com. "It really defied all of our worst case scenarios."

Cisco's report claims that exploited Web sites in 2008 were responsible for 87 percent
of all Web-based threats. Overall Cisco reported that Buffer overflow, Denial of Service
(DoS) and Cross Site Scripting (XSS) attacks led the total vulnerability count.

Peterson clarified that volume of reported vulnerabilities is not the same as volume
of attacks. Peterson noted that attacks on Web sites in 2008 were primarily by way of SQL
injection.
BusinessWeek Online was among the sites attacked by SQL injection in 2008.

Peterson also pointed the finger at Web browser add-ons, which he argued were easy to
exploit in 2008. If attackers want to take advantage of an add-on vulnerability, all they
have to do is get the browser to visit a Web page with a malicious code Flash object on
it. He added that the problem with add-on vulnerability often stems from the fact that
users aren't always running the most up to date versions of the software.

"Add-on patching and updates don't seem to have the same kind of rigor or delivery
vehicle as more standard apps," Peterson said. "I just installed Windows Update, but when
it comes to something like Flash, the way it gets updated, it doesn't seem to have the
same kind of rigor. It leads people to have an OS {operating system} that is patched but
some kind of browser plugin that is not patched and they don't even know how to get the
patch."

Lawrence made his add-on comment during a discussion this year on clickjacking, which is
a new attack vector that was not included in Cisco's report. Peterson explained that
details on clickjacking emerged after Cisco began to put together its report.

In a clickjacking attack an attacker hides an object underneath a legitimate object or
button, such that a user is completely unaware of what they might be clicking. Peterson
commented that he doesn't believe that clickjacking is currently a widespread attack but
that it is a very clever and scary attack vector.

Perhaps more surprising,
DNS-related attacks did not happen in a widespread manner in 2008. Security
researcher
Dan Kaminksy revealed that most DNS servers were at risk from a cache poisoning
attack that could have redirected users to arbitrary sites.

Peterson noted that when the flaw was
first revealed in July he anticipated massive DNS hacking activities. That didn't
happen. Instead, from Peterson's point of view, the aggressive patching effort that
culminated in Kaminsky's
full disclosure in August likely averted any widespread DNS hacking activity.

In fact, Peterson sees the Kaminsky attack as a new type of positive trends for the IT
security community.

"If you look at clickjacking and the Kaminsky attack, those are two great examples of
what the security community would not have done 12 months ago," Peterson commented.
"Those issues were patched before they were publicly disclosed and that's a little bit of
a silver lining we can see in doing our battle with the criminals."

Another silver lining in 2008 came in the fight against spam with the shutdown of the
McColo ISP in November.

"With the McColo shutdown, we did see a dramatic reduction in spam, with volumes down
by 66 percent," Peterson said. "This is the first substantive change we've seen in the
annual doubling of spam since 2004. It does offer some hope, in that by focusing on the
command and control nodes as a way to take out botnets and that's something I can see get
spam get pushed back down."